Re: Encryption newbie - Same length encrypted result

From: Luc The Perverse (sll_noSpamlicious_z_XXX_m_at_cc.usu.edu)
Date: 10/22/05


Date: Sat, 22 Oct 2005 07:29:23 -0600


"TC" <aatcbbtccctc@yahoo.com> wrote in message
news:1129958381.934318.134840@f14g2000cwb.googlegroups.com...
> I'm a software guy with an amateur interest in encryption. One thing I
> can tell you is, you are very likely to make serious implementation
> mistakes, unless you really know what you are doing. It sounds to me,
> as if you just don't have enough knowledge of the subject, yet, to do
> it confidently. Crypto is unlike normal software problems. You can
> /think/ that it is working properly, whereas in fact, you have made a
> huge error (of some kind) that an experienced person could exploit in
> seconds flat.
>
> If you're storing millions of CC numbers, you'd better be /pretty damn
> sure/ that your implementation is up to professional crypto levels.
> IMHO, for something as important as CC numbers, you should hire an
> expert to do, or oversee, this part, for you.
>
> HTH,
> TC

It seems to me the limitation of output length being the same as input
length is some kind of a restriction that has been invented to try to allow
some amateur programming inadequacies to continue.

Your encrypted database should not be the same as your unencrypted database,
with the exception that the numbers are just scrambled.

What is the threat you are trying to prevent? Someone stealing the server?
A computer user looking at the DB? Virus?

The problem with the setup is this. Any virus smart enough to penetrate
your system and export the credit card database is going to be tailor-made
and smart enough to also grab your encryption key while it is in there ;)

-- 
"It's better to have rocked and lost than never to have rocked at 
all." -John Flansburgh 

